US10187427B2ActiveUtilityA1

Networking flow logs for multi-tenant environments

83
Assignee: AMAZON TECH INCPriority: Mar 30, 2015Filed: May 25, 2017Granted: Jan 22, 2019
Est. expiryMar 30, 2035(~8.7 yrs left)· nominal 20-yr term from priority
H04L 43/0876H04L 63/1433H04L 63/1408H04L 63/0227H04L 43/067H04L 63/20H04L 63/0245H04L 67/02H04L 63/205H04L 63/1425
83
PatentIndex Score
4
Cited by
31
References
20
Claims

Abstract

Computing resource service providers may provide computing resources to customers in a multi-tenant environment. These computing resources may be behind a firewall or other security device such that certain information does not reach the computing resources provided to the customer. A logging entity may be implemented on computer server operated by the computing resource service provider. The logging entity may obtain log information from the firewall or other security device and store the log information such that it is accessible to the customer. Additionally, the log information may be provided to other services such as a metrics service or intrusion detection service.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method, comprising:
 receiving a request from a customer of a computing resource service provider to enable logging for a virtual computer system instance of the customer, the virtual computer system instance from one of a plurality of virtual computer system instances managed by the computing resource service provider for different customers; 
 as a result of receiving the request, filtering, by a firewall, network traffic directed to the virtual computer system instance; 
 obtaining a set of network traffic logs generated by filtering network traffic directed to the virtual computer system instance; 
 retrieving, from the set of network traffic logs, network information associated with the virtual computer system instance, the network information including at least information indicating a source network address, a destination network address, and a firewall decision indicating whether at least a portion of the network traffic was allowed or denied according to a security policy enforced by the firewall; and 
 providing the network information to a destination associated with the customer. 
 
     
     
       2. The computer-implemented method of  claim 1 , wherein the destination comprises a metrics service of the computing resource service provider that provides the customer associated with the virtual computer system instance with metrics information. 
     
     
       3. The computer-implemented method of  claim 1 , wherein the destination includes a metrics service indicated by the customer. 
     
     
       4. The computer-implemented method of  claim 1 , wherein the destination is at a storage service of the computing resource service provider accessible to a customer. 
     
     
       5. The computer-implemented method of  claim 1 , wherein the computer-implemented method further comprises generating a visualization of network traffic associated with the virtual computer system instance based at least in part on the network information. 
     
     
       6. The computer-implemented method of  claim 1 , wherein the destination further comprises an intrusion prevention system that updates the security policy based at least in part on the network information. 
     
     
       7. A system, comprising:
 one or more processors; and 
 memory that stores computer-executable instructions that, if executed, cause the one or more processors to:
 receive a request from a customer of a computing resource service provider to enable logging for a virtual computer system instance supported by computing resources of the system, hosted by a computing resource service provider, and managed by the customer, where the system supports a plurality of virtual computer systems and at least a portion of the plurality of virtual computer systems are managed by other customers; 
 receive one or more data packets at a network interface of the system, where the one or more data packets are associated with a set of network flows directed to the virtual computer system instance; 
 filter the one or more data packets at a firewall based at least in part on one or more security policies, where the one or more security policies indicate whether to allow or deny a particular data packet based at least in part on information contained in the data packet; 
 as a result of fulfillment of the received request causing logging to be enabled, obtain log information indicating a source internet protocol (IP) address, a destination IP address, and a firewall decision indicating whether data packets were allowed or denied according to the one or more security policies, the log information corresponding to the filtering of the one or more data packets and a set of actions performed by the firewall in filtering the one or more data packets; and 
 provide the log information to a destination accessible to the customer. 
 
 
     
     
       8. The system of  claim 7 , wherein the destination comprises an intrusion prevention system. 
     
     
       9. The system of  claim 8 , wherein the memory further includes computer-executable instructions that, if executed, cause the one or more processors to:
 cause the intrusion prevention system to generate an update to the one or more security policies based at least in part on the log information; 
 obtain the update; and 
 modify the one or more security policies based at least in part on the update. 
 
     
     
       10. The system of  claim 7 , wherein the destination comprises a metrics system. 
     
     
       11. The system of  claim 10 , wherein the memory further includes computer-executable instructions that, if executed, cause the one or more processors to:
 cause the metrics system to generate metrics information based at least in part on the log information; 
 obtain the metrics information; and 
 transmit an alarm to the customer associated with the virtual computer system instance based at least in part on the metrics information. 
 
     
     
       12. The system of  claim 7 , wherein the system supports an execution of a plurality of virtual computer system instances of which the virtual computer system instance is a member. 
     
     
       13. The system of  claim 12 , wherein the firewall is responsible for filtering data packets directed to the plurality of virtual computer system instances. 
     
     
       14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
 fulfill a request from a customer of a computing resource service provider to enable logging for a virtual computer system instance supported by computing resources hosted by a computing resource service provider, where the computing resources support a plurality of virtual computer system instances that are managed by different customers; 
 filter network traffic at a firewall, at least a portion of the network traffic directed to a set of computing resources used at least in part to support the virtual computer system instance managed by the customer based at least in part on one or more security policies; 
 as a result of enabled logging, obtain, from the firewall, network traffic log information including at least an indication of a source computing resource, a destination computing resource, and an operation to allow or deny network traffic performed based at least in part on the security policy; 
 retrieve, from the obtained network log information, log information corresponding to the virtual computer system instance; and 
 provide the obtained log information to a storage service for persistent storage. 
 
     
     
       15. The non-transitory computer-readable storage medium of  claim 14 , wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to provide the log information to the virtual computer system instance. 
     
     
       16. The non-transitory computer-readable storage medium of  claim 14 , wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to generate a set of visualizations indicating one or more attributes of the network traffic based at least in part on the network traffic log information. 
     
     
       17. The non-transitory computer-readable storage medium of  claim 14 , wherein the instructions that cause the computer system to fulfill the request further include instructions that cause the computer system to obtain a command based at least in part on the customer interacting with a management console provided by the computing resource service provider. 
     
     
       18. The non-transitory computer-readable storage medium of  claim 14 , wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to transmit the network traffic log information to a computing resource managed by the customer. 
     
     
       19. The non-transitory computer-readable storage medium of  claim 14 , wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
 obtain second network traffic log information from a second firewall implemented by a second computer system distinct from the computer system; and 
 cause a metrics service to generate metrics information based at least in part on the network traffic log information and the second network traffic log information. 
 
     
     
       20. The non-transitory computer-readable storage medium of  claim 19 , wherein the second log information is generated by the second firewall based at least in part on network traffic directed to a second virtual computer system instance provided by the computing resource service provider, where the virtual computer system instance and the second virtual computer system instance are operated by a customer.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.